[AOLSERVER] AOLServer 4.x blindly reporting X-Forwarded-For value in logs

2009-08-18 Thread Hossein Sharifi
I've been meaning to write about this for a while:  When I switched from
AOLserver 3.x to 4.0 a few years ago, I noticed that the IP address in the
log file no longer always matches what [ns_conn peeraddr] reports.

ns_conn seems to always report the actual IP address of the user, whereas
the log files will gladly accept whatever is in the X-Forwarded-For header
that the client sends, even if it's forged or nonsensical. This makes it
difficult to detect and track bot behavior and other abuses. A significant
portion of bot activity on my site is logged as 127.0.0.1, unknown,
10.0.0.50 or other similar false values.

Is there any way to make AOLserver log the real IP address and ignore the
X-Forwarded-For header?


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to 
lists...@listserv.aol.com with the
body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: 
field of your email blank.


Re: [AOLSERVER] AOLServer 4.x blindly reporting X-Forwarded-For value in logs

2009-08-18 Thread Jeff Rogers
There is no built-in setting to log or not log forwarded headers.  It's 
not difficult to change, but it requires a little programming.


If you are comfortable with C, you can edit nslog/nslog.c and change the 
behaviour with X-Forwarded-For (it's at nslog.c:272 in my copy).  You 
could disable the check and always log the real ip, log both the real 
and forwarded header, or make it dependent on a config file setting.
If you write code that uses a config setting, it might be worth adding 
to the standard codebase, as I doubt you're the first one to run across 
this.


Alternately, you could do it in tcl code, by setting up a trace filter 
(with ns_register_filter) that writes out a different log file with 
exactly what you need.


-J



Re: [AOLSERVER] AOLServer 4.x blindly reporting X-Forwarded-For value in logs

2009-08-18 Thread Alexey Pechnikov
Hello!

You can use HAProxy or other reverse-proxy for more performance and logging.

Best regards, Alexey Pechnikov.
http://pechnikov.tel/




Re: [AOLSERVER] AOLServer 4.x blindly reporting X-Forwarded-For value in logs

2009-08-18 Thread Joseph Kondel

Just a heads up -

One possible side-effect could be that if you have a proxy in place in
front of your aolserver, you might lose the ability to track unique
IPs, and just catch the proxy's IP. Most modern proxies set the
x-forwarded-for to enable you to delineate end-user IPs.


-j



Joseph Kondel
Doer of Deeds, Gentleman of Leisure
(c) 202-262-8964
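
An added example, not part of the thread and not AOLserver source: one way to reconcile the config-dependent logging suggested above with the proxy caveat is to honor X-Forwarded-For only when the socket peer is a proxy you operate. The function name `log_addr` and the `trusted_proxies` list are hypothetical, the addresses are constructed samples, and wiring this into nslog.c is not shown.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: addresses of reverse proxies we run ourselves. */
static const char *trusted_proxies[] = { "192.0.2.10", "192.0.2.11" };

/* True if s parses as an IPv4 or IPv6 literal ("unknown" does not). */
static int is_ip(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

static int is_trusted_proxy(const char *peer)
{
    size_t i;
    for (i = 0; i < sizeof(trusted_proxies) / sizeof(trusted_proxies[0]); i++)
        if (strcmp(peer, trusted_proxies[i]) == 0)
            return 1;
    return 0;
}

/* Choose the address to log. peer is the socket address (what
 * [ns_conn peeraddr] reports); xff is the raw header value or NULL. */
const char *log_addr(const char *peer, const char *xff, char *out, size_t outlen)
{
    char cand[INET6_ADDRSTRLEN];
    const char *last, *end;
    size_t n;

    snprintf(out, outlen, "%s", peer);       /* default: the real peer */
    if (xff == NULL || !is_trusted_proxy(peer))
        return out;                          /* header is client-controlled */

    /* The rightmost entry is the one our own proxy appended. */
    last = strrchr(xff, ',');
    last = last ? last + 1 : xff;
    while (*last == ' ' || *last == '\t') last++;
    end = last + strlen(last);
    while (end > last && (end[-1] == ' ' || end[-1] == '\t')) end--;
    n = (size_t)(end - last);
    if (n > 0 && n < sizeof(cand)) {
        memcpy(cand, last, n);
        cand[n] = '\0';
        if (is_ip(cand))                     /* reject nonsense values */
            snprintf(out, outlen, "%s", cand);
    }
    return out;
}
```
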




